The Food and Drug Administration (FDA) continues to address potential cybersecurity issues implicated by the rise in digital health and digital medical devices.  In its latest move,  the FDA recently released a discussion paper, “Communicating Cybersecurity Vulnerabilities to Patients: Considerations for a Framework,” in which the agency provides key considerations for a digital medical device’s cybersecurity framework and seeks comment from all stakeholders (including the medical device industry) on best practices in communicating cybersecurity issues to patients.

As discussed below, these considerations emphasize the evolving responsibility that medical device manufacturers have in promptly and clearly communicating cybersecurity issues to patients and health care providers.

FDA’s key considerations for communicating cybersecurity issues

The draft discussion paper notes that the following elements are important to consider when developing a cybersecurity communication:

  • Interpretability
    In addressing the interpretability of the communication, the FDA emphasizes that a message about cybersecurity concerns should be (1) timely; (2) clearly written; and (3) instructive.

    With respect to timeliness, the FDA encourages prompt communication to patients, even if the cybersecurity issue is still unresolved.

    The communication should also be clearly written for the audience of patients, and it should take into consideration patient diversity.  The FDA recommends placing all relevant information at the beginning of the communication; reducing the use of technical jargon and acronyms; and defining these terms if it is necessary to use them.  Communications should be made available in different languages, ensuring the message (as translated) clearly conveys the issue.  The draft discussion paper also includes other technical guidance on drafting such communications, among them tips on the use of visual cues and different font styles, to emphasize important points.

    Lastly, the discussion paper says, the communication should include an action item for the patient.  If the cybersecurity issue is resolved, this may be in the form of clear instructions for updating the device or mobile phone app.  If the cybersecurity issue is unresolved, FDA advises the manufacturer to “clearly outline what patients can and cannot do.”

  • Risks and benefits
    The communication should clearly weigh the risks and benefits of the cybersecurity issue so that patients are informed about their choices in mitigating the cybersecurity issue.
  • Acknowledge the unknown
    The manufacturer should also communicate the extent to which potential problems caused by the cybersecurity issue are unknown.
  • Availability of information
    The draft discussion paper states that “[t]he FDA and industry share responsibility for communicating about cybersecurity risks,” and makes clear that the burden to identify this information should not be placed on the patient.  To that end, manufacturers should ensure that any cybersecurity communication about a device is easy to find in online searches, mobile-friendly, and accessible for individuals with disabilities.

FDA’s growing attention to cybersecurity issues in digital medical devices

As discussed in our 2019 article on FDA’s draft guidance on the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, the FDA continues to home in on manufacturers’ responsibilities for conveying cybersecurity issues to patients.

This new draft discussion paper, together with the FDA’s solicitation for comment from the medical device industry, is an opportunity for manufacturers to play an active role in developing industry best practices and providing feedback on potential future premarket requirements for medical devices.

Any comments to the draft discussion paper must be submitted by December 21, 2020.

Learn more about the implications of the draft discussion paper for your business by contacting either of the authors.